Enhanced Filtering for Connectors Mailchimp Spoof intra-org

Hi,

We have a hybrid Exchange setup. Our MX records point to an on-premise third-party anti-spam server. This server sends mail to another internal relay server, which sends it to our on-premise Exchange. The on-premise Exchange sends mail to Exchange Online.

We have enabled "Enhanced Filtering for Connectors" with "Automatically detect and skip the last IP address".

Newsletters from our organization sent with Mailchimp are delivered to the junk folder (Mailchimp is in our SPF record).

Detection technologies: Spoof intra-org

SPF: Pass

Any ideas how we could make sure the mails are delivered to the inbox, without having to add all the IP ranges from Mailchimp to the spoofed senders Tenant Allow List?

Kind regards,

Jeroen

2 Replies

Hi @jgeernaert

You are probably using a From address like @yourdomain.tld as the sender address.

This means an external email is coming into the organization with a Mail From (envelope) from *.mcsv.net.
SPF is tested against the Mail From. So you do not need to add the SPF records to your domain.

Example mail from Mailchimp:

Authentication-Results: spf=pass (sender IP is 198.2.143.227)
 smtp.mailfrom=mail227.atl291.mcsv.net; dkim=pass (signature was verified)
 header.d=daszelt.ch; dmarc=bestguesspass action=none header.from=daszelt.ch;
 compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of mail227.atl291.mcsv.net
 designates 198.2.143.227 as permitted sender) receiver=protection.outlook.com;
 client-ip=198.2.143.227; helo=mail227.atl291.mcsv.net; pr=C

Now the From is from one of your accepted domains, so that looks like spoofing:

From: =?utf-8?Q?DAS=20ZELT?= <email address removed for privacy reasons>
Reply-To: =?utf-8?Q?DAS=20ZELT?= <email address removed for privacy reasons>
To: <email address removed for privacy reasons>
Date: Sat, 16 Dec 2023 13:18:55 +0000

Workaround:
Use a subdomain as the sender in Mailchimp, like @newsletter.domain.tld.

Regards
Andres
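The reasoning in this reply (SPF is evaluated on the envelope Mail From, the spoof check looks at the header From) can be followed with a small script over the quoted Authentication-Results header. This is an added example, not code from the reply or from Microsoft; it models the check as the reply describes it, not Exchange Online's actual spoof-intelligence logic, and the accepted-domain set and the `external_source` flag (standing in for what Enhanced Filtering for Connectors determines after skipping the on-premise hops) are assumptions.

```python
"""Why a Mailchimp newsletter can get SPF=pass and still be flagged as
intra-org spoof: SPF vouches for the envelope Mail From (Mailchimp's
*.mcsv.net bounce domain), while the spoof check looks at the header From,
which carries one of the tenant's accepted domains.

Added example; a simplified model of the reasoning in the reply above,
not Microsoft's spoof-intelligence implementation.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed from the Authentication-Results header quoted in the reply.
SAMPLE_AUTH_RESULTS = (
    "spf=pass (sender IP is 198.2.143.227) smtp.mailfrom=mail227.atl291.mcsv.net; "
    "dkim=pass (signature was verified) header.d=daszelt.ch; "
    "dmarc=bestguesspass action=none header.from=daszelt.ch; "
    "compauth=pass reason=109"
)

# Assumption: the tenant's accepted domains (the reply's example uses daszelt.ch).
ACCEPTED_DOMAINS = {"daszelt.ch"}


def parse_auth_results(value: str) -> dict[str, str]:
    """Return the key=value properties of an Authentication-Results header
    (spf, smtp.mailfrom, header.from, ...) with parenthesised comments removed."""
    without_comments = re.sub(r"\([^)]*\)", "", value)
    props: dict[str, str] = {}
    for clause in without_comments.split(";"):
        for key, val in re.findall(r"([\w.]+)=([^\s;]+)", clause):
            props[key.lower()] = val.lower()
    return props


@dataclass
class Verdict:
    sender_ip: str
    spf_domain: str        # the domain SPF actually vouched for
    from_domain: str       # the domain the recipient sees in From:
    intra_org_spoof: bool
    reason: str


def classify(auth_results: str, accepted_domains: set[str], external_source: bool) -> Verdict:
    """Apply the reply's reasoning. `external_source` stands for the result of
    Enhanced Filtering for Connectors: after skipping the on-premise hops, did
    the message enter from outside the organization? (Assumption: modelled as a
    boolean input rather than derived from Received headers.)"""
    props = parse_auth_results(auth_results)
    ip_match = re.search(r"sender IP is ([0-9a-fA-F.:]+)", auth_results)
    sender_ip = ip_match.group(1) if ip_match else "unknown"
    spf_domain = props.get("smtp.mailfrom", "").split("@")[-1]
    from_domain = props.get("header.from", "")

    if external_source and from_domain in accepted_domains:
        return Verdict(sender_ip, spf_domain, from_domain, True,
                       f"spf={props.get('spf')} applies to {spf_domain}, not to the From "
                       f"domain {from_domain}; an external message claiming an accepted "
                       f"domain looks like intra-org spoofing")
    if not external_source:
        return Verdict(sender_ip, spf_domain, from_domain, False,
                       "message originated inside the organization")
    return Verdict(sender_ip, spf_domain, from_domain, False,
                   f"From domain {from_domain} is not an accepted domain")


def with_from_domain(auth_results: str, new_domain: str) -> str:
    """Model the suggested workaround: rewrite header.from to a subdomain that is
    not itself an accepted domain (e.g. newsletter.domain.tld)."""
    return re.sub(r"header\.from=[^\s;]+", f"header.from={new_domain}", auth_results)


if __name__ == "__main__":
    print(classify(SAMPLE_AUTH_RESULTS, ACCEPTED_DOMAINS, external_source=True))
    rewritten = with_from_domain(SAMPLE_AUTH_RESULTS, "newsletter.daszelt.ch")
    print(classify(rewritten, ACCEPTED_DOMAINS, external_source=True))
```

Running it shows the first message flagged (SPF passed for mail227.atl291.mcsv.net while From: claims daszelt.ch) and the rewritten one not flagged, which is the effect the subdomain workaround relies on; the subdomain then needs its own SPF and DKIM alignment in Mailchimp's domain authentication, which the script does not model.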

The Rocket Science Group ranges aren't that fragmented. The following mail flow rule doesn't do what you want, but it might inspire others on this forum. I haven't checked the ranges in some time, but my recipients don't report any spam traceable back to RSG:

# Parameters are splatted so the command runs as one statement; the pasted
# version had no line continuations and the -Comments string was unterminated.
$ruleParams = @{
    Name     = 'Filter Mandrill from Mailchimp spam'
    Comments = 'Pushes Mailchimp spam to SCL 7. Exempts Mandrill and domains for which we tolerate Mailchimp'
    Mode     = 'Enforce'
    # Condition: connecting IP is in one of the Rocket Science Group (Mailchimp) ranges
    SenderIpRanges = @('148.105.0.0/16', '198.2.128.0/18', '205.201.128.0/20')
    # Exception: sub-ranges used by Mandrill
    ExceptIfSenderIpRanges = @(
        '205.201.139.0/24', '205.201.136.0/23', '205.201.134.128/25', '205.201.131.128/25',
        '198.2.186.0/23', '198.2.180.0/24', '198.2.178.0/23', '198.2.177.0/24',
        '198.2.136.0/23', '198.2.132.0/22', '198.2.128.0/24'
    )
    # Exception: sender domains whose Mailchimp mail is tolerated
    ExceptIfSenderDomainIs = @('exempted-domain.one', 'exempted-domain.two', 'mailchimp.com')
    # Actions: tag the subject, audit at low severity, prepend an HTML notice, raise the SCL
    PrependSubject   = '[BULK NETWORK] '
    SetAuditSeverity = 'Low'
    ApplyHtmlDisclaimerLocation       = 'Prepend'
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
    ApplyHtmlDisclaimerText = '<br>
<div style="font-size:11pt; font-family: ''Calibri'',sans-serif;">
<div style="background-color:#FFFCE3; border:1px dotted #003333; padding:.8em; ">
<p align=center style="font-size:11pt; line-height:11pt; font-family:''Calibri'',serif;">
This e-mail is tagged. See <a href="https://tenancy.sharepoint.com/sites/mydept/SitePages/E-mail-tags.aspx"> https://tenancy.sharepoint.com/sites/mydept/SitePages/E-mail-tags.aspx</a> for more information.
<br><br>
----------------------------------------------------------------------------------------------------------------------------------------------<br><br>
</p>
</div>
</div>'
    SetSCL = 7
}
New-TransportRule @ruleParams
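Before creating a rule like this it helps to evaluate its IP-range and sender-domain predicates offline. The following is an added example (not part of the reply) in Python, using the ranges exactly as posted; it assumes Exchange applies the rule when the SenderIpRanges condition holds and no ExceptIf exception holds, and that SenderDomainIs is compared with the header From domain (the default SenderAddressLocation). It also checks that every exception range is a subnet of a condition range and computes how much address space the rule effectively tags.

```python
"""Offline check of the IP-range and sender-domain predicates of the mail flow
rule above, using Python's ipaddress module. Added example with the ranges
exactly as posted; it is not part of the reply.

Assumptions: the rule fires when the SenderIpRanges condition holds and no
ExceptIf* exception holds, and SenderDomainIs is compared with the header
From domain (the default SenderAddressLocation)."""
import ipaddress
from ipaddress import IPv4Network

SENDER_IP_RANGES = [ipaddress.ip_network(n) for n in (
    "148.105.0.0/16", "198.2.128.0/18", "205.201.128.0/20")]
EXCEPT_IP_RANGES = [ipaddress.ip_network(n) for n in (
    "205.201.139.0/24", "205.201.136.0/23", "205.201.134.128/25", "205.201.131.128/25",
    "198.2.186.0/23", "198.2.180.0/24", "198.2.178.0/23", "198.2.177.0/24",
    "198.2.136.0/23", "198.2.132.0/22", "198.2.128.0/24")]
EXCEPT_SENDER_DOMAINS = {"exempted-domain.one", "exempted-domain.two", "mailchimp.com"}


def rule_matches(sender_ip: str, sender_domain: str) -> tuple[bool, str]:
    """Return (fires, reason) for one message: connecting IP plus From domain."""
    ip = ipaddress.ip_address(sender_ip)
    if not any(ip in net for net in SENDER_IP_RANGES):
        return False, f"{ip} is outside the Mailchimp ranges; rule not applicable"
    hit = next((net for net in EXCEPT_IP_RANGES if ip in net), None)
    if hit is not None:
        return False, f"{ip} is in exempted range {hit} (Mandrill)"
    if sender_domain.lower() in EXCEPT_SENDER_DOMAINS:
        return False, f"{sender_domain} is an exempted sender domain"
    return True, f"{ip} matched: subject tagged, disclaimer prepended, SCL set to 7"


def stray_exceptions() -> list[IPv4Network]:
    """Exception ranges that lie outside every condition range (they would be
    dead configuration). Empty for the ranges as posted."""
    return [exc for exc in EXCEPT_IP_RANGES
            if not any(exc.subnet_of(inc) for inc in SENDER_IP_RANGES)]


def effective_networks() -> list[IPv4Network]:
    """Condition ranges with the exception ranges carved out: the address
    space the rule actually tags."""
    result = []
    for inc in SENDER_IP_RANGES:
        remaining = [inc]
        for exc in EXCEPT_IP_RANGES:
            carved = []
            for net in remaining:
                if exc.subnet_of(net):
                    carved.extend(net.address_exclude(exc))
                elif not net.subnet_of(exc):     # disjoint: keep as is
                    carved.append(net)
                # net entirely inside exc: drop it
            remaining = carved
        result.extend(remaining)
    return sorted(result)


def tagged_address_count() -> int:
    """Number of IPv4 addresses the rule tags after exceptions are removed."""
    return sum(net.num_addresses for net in effective_networks())


if __name__ == "__main__":
    # 198.2.143.227 is the sender IP from the Mailchimp header quoted in the earlier reply;
    # the other values are constructed test inputs.
    for ip, dom in [("198.2.143.227", "daszelt.ch"), ("198.2.136.5", "daszelt.ch"),
                    ("198.2.143.227", "mailchimp.com"), ("203.0.113.5", "daszelt.ch")]:
        print(ip, dom, rule_matches(ip, dom))
    print("stray exceptions:", stray_exceptions())
    print("addresses effectively tagged:", tagged_address_count())
```

The sender IP from the earlier reply's header, 198.2.143.227, sits in 198.2.128.0/18 and in none of the exception ranges, so this rule would have tagged that newsletter and set SCL 7; an address in 198.2.136.0/23 is skipped as Mandrill, and a From domain of mailchimp.com is skipped regardless of IP. Keep in mind that SCL 7 only moves mail to junk, which is the same outcome the original question is trying to avoid.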